Node.js Tar Extracts Files Outside Its Safe Area
DEBIAN-CVE-2026-26960
Summary
node-tar versions below 7.5.8 may allow an attacker to read or write arbitrary files on the system as the extracting user. This happens when a malicious archive is extracted with default options: the archive can create a hardlink inside the extraction directory that points to a file outside the extraction root. Update to version 7.5.8 or later to fix this issue.
What to do
- Update debian node-tar to version 6.2.1+ds1+~cs6.1.13-8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | node-tar | All versions | – |
| debian | node-tar | <= 6.2.1+ds1+~cs6.1.13-8 | 6.2.1+ds1+~cs6.1.13-8 |
Original title
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points...
Original description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
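A pre-extraction audit for the condition described above, as an added example (not node-tar's code or its fix): it reads the fixed ustar header fields and reports hardlink entries whose target resolves lexically outside the extraction root. The function names and the sample archive are constructed for illustration; PAX/GNU long-name records, the ustar prefix field and links already on disk are not handled.

```javascript
// Build one 512-byte ustar header. Constructed sample data, checksum left blank.
function header(name, type, linkname = '') {
  const h = Buffer.alloc(512);
  h.write(name, 0, 100, 'utf8');
  h.write('00000000000\0', 124);       // size field: octal 0
  h.write(type, 156);                  // typeflag: '0' file, '1' hardlink
  h.write(linkname, 157, 100, 'utf8');
  h.write('ustar\0' + '00', 257);      // magic + version
  return h;
}
// Read a NUL-terminated header field.
function field(b, off, len) {
  const s = b.toString('utf8', off, off + len);
  const i = s.indexOf('\0');
  return i < 0 ? s : s.slice(0, i);
}
// True if a path, resolved lexically from the extraction root, leaves it.
function escapesRoot(p) {
  if (/^([\\/]|[A-Za-z]:)/.test(p)) return true;   // absolute or drive path
  let depth = 0;
  for (const seg of p.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (--depth < 0) return true; } else depth++;
  }
  return false;
}
// Walk the headers; report hardlink entries (typeflag '1' = 0x31) that escape.
function findEscapingHardlinks(archive) {
  const hits = [];
  for (let off = 0; off + 512 <= archive.length;) {
    const h = archive.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break;            // end-of-archive block
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    const linkpath = field(h, 157, 100);
    if (h[156] === 0x31 && escapesRoot(linkpath)) hits.push({ name: field(h, 0, 100), linkpath });
    off += 512 + Math.ceil(size / 512) * 512;      // header + padded body
  }
  return hits;
}
// Constructed archive: one file, one in-root hardlink, two escaping hardlinks.
const sample = Buffer.concat([
  header('docs/readme.txt', '0'),
  header('docs/copy.txt', '1', 'docs/readme.txt'),
  header('docs/report.txt', '1', '../outside/target.txt'),
  header('docs/abs.txt', '1', '/outside/target.txt'),
  Buffer.alloc(1024),
]);
console.log(findEscapingHardlinks(sample));
```

A check like this can gate untrusted archives before extraction, but it does not replace updating to the fixed version.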
CVSS 3.1 score (OSV): 7.1
- https://security-tracker.debian.org/tracker/CVE-2026-26960 Vendor Advisory
Published: 20 Feb 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026